Issue 116

Enforcement updates

The Belgian Data Protection Authority (DPA) imposed a fine of EUR 250,000 on Interactive Advertising Bureau Europe (IAB Europe) following an investigation. The DPA found the IAB Europe had violated multiple provisions of the GDPR including failing to establish a legal basis for processing, not maintaining record of processing activities, not appointing a DPO etc. 

The Hellenic Data Protection authority (HDPA) levied a fine of EUR 3,250,000 on OTE group in connection with a data breach reported by Cosmote Mobile Telecommunication S.A. The data breach occurred through a website hosted by OTE. Accordingly, HDPA held that OTE group is also liable for failing to implement security measures which resulted in a data breach incident. 

The Turkish Personal Data Protection Authority (KVKK) imposed a fine of TRY 1.9 million to Yemek Sepeti Elektronik Iletism Perakende Gida Lojistik for a data breach concerning a web application server within the company. The breach was not reported for 8 days which , as per the KVKK, demonstrated that Yemek Sepeti did not fulfill its obligations to take technical and administrative measures.

Guidance updates 

  • French Data Protection Authority published guidance on preventing breach incidents on cloud infrastructure.
  • Hong Kong Privacy Commissioner published guidance note on safeguarding personal data while working from home.
  • Ukraine’s Data Protection Authority published recommendations on draft data protection law.

Regulatory updates

  • Dubai International Financial Centre issued an adequacy decision recognizing Singapore, Korea and APEC Cross Border Privacy Rules for safe data transfers.
  • Brazilian Congress passed constitutional amendment for protection of personal data as a fundamental right.
  • Kentucky State Senate introduced an act relating to consumer data privacy.

US updates

  • National Institute of Standards and Technology released draft report on cybersecurity risks for enterprise risk management and governance oversight. 
  • Algorithmic Accountability Act of 2022 was introduced to House of Representatives to enhance fairness and transparency of automated decisions.  
  • A bill for Strengthening American Cybersecurity Act of 2022 was introduced to the U.S Senate. 

EU updates

  • European Data Protection Board published opinion on GDPR – CARPA (Certified Report Based Processing Activities) certification criteria.
  • European Parliament voted to ban targeted ads based on sensitive personal information. Reports Politico.
  • European Data Protection Supervisor published remarks on modern surveillance systems.

 Statements issued

  • Ireland Data Protection authority issued statement on National Digital Strategy.
  • Denmark issued statement on Austria’s Data Protection Authority’s decision on Google Analytics.

News around the globe

  • China published draft rules to regulate content providers that modify facial and voice data.
  • Norwegian Data Protection Authority issued a letter to the minister to strengthen cookie regulations.
  • Monetary Authority of Singapore published white papers on responsible use of AI by Financial institutions. 

Read our digital newsletter here.

© 2019 Reina Consulting LLP – All rights reserved